Redirecting from an https reverse proxy to a prestashop backend (apache apache)

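The problem is with my Apache reverse proxy, used for a secure connection to the Prestashop front end on a backend host (the admin panel can be accessed correctly over SSL). I suspect the problem lies in the PrestaShop backend, because redirecting over SSL to a static page on the same endpoint works fine. The infrastructure looks like this:

Apache 2.4 (proxy1) -> Apache 2.4 prestashop (web1) -> other backends

  • Port 80 redirect from the proxy to prestashop/static page on web1 - OK
  • Port 443 redirect from the proxy to a static page on web1 - OK
  • Port 443 redirect from the proxy to prestashop on web1 - NOK -> ERR_TOO_MANY_REDIRECTS

When opening the firewall and accessing PrestaShop directly (internet -> web1), both http and https work fine, and there is no redirect loop.

The DNS name is assigned to the reverse proxy host. The backend prestashop and db hosts are not reachable from the internet and sit in a separate private network.

Reverse proxy configuration: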

<VirtualHost *:80>
    ServerName mydsn.com
    ProxyPass / http://web1:80/
    ProxyPassReverse / http://web1:80/
    LogLevel info
    ErrorLog logs/proxy_error.log
    CustomLog logs/proxy_access.log combined
</VirtualHost>

Listen 443

<VirtualHost *:443>
  ServerName mydns.com
  LogLevel info
  ErrorLog logs/ssl_proxy_error.log
  CustomLog logs/ssl_proxy_access.log combined
  SSLEngine on
  SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
  SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
  SSLHonorCipherOrder On
  SSLCertificateFile /location/.crt
  SSLCertificateKeyFile /location/.key

  Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
  Header always set X-Frame-Options DENY
  Header set X-Content-Type-Options "nosniff"

  SSLProxyEngine on
  SSLProxyCheckPeerCN Off
  ProxyPass / https://web1:443/
  ProxyPassReverse / https://web1:443/
</VirtualHost>

Prestashop web1 configuration:

<VirtualHost *:80>

    DocumentRoot /var/www/html/prestashop

    <Directory /var/www/html>
        AllowOverride All
        Options +Indexes
        Require all granted
    </Directory>

    LogLevel info
    ErrorLog /var/log/httpd/prestashop.error.log
    CustomLog /var/log/httpd/prestashop.access.log combined
</VirtualHost>

Listen 443

<VirtualHost *:443>

    DocumentRoot /var/www/html/prestashop

    SSLEngine on
    SSLCertificateFile /location/.crt
    SSLCertificateKeyFile /location/.key

    <Directory /var/www/html/prestashop>
        AllowOverride All
        Options +Indexes
        Require all granted
    </Directory>

    LogLevel info
    ErrorLog /var/log/httpd/ssl_prestashop_error.log
    CustomLog /var/log/httpd/ssl_prestashop_access.log combined
</VirtualHost>

SSL access log from proxy1

[14/Oct/2020:22:39:43 +0200] "GET / HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36" 
[14/Oct/2020:22:39:43 +0200] "GET / HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36" 
[14/Oct/2020:22:39:43+0200] "GET / HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36"
[14/Oct/2020:22:39:43 +0200] "GET / HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36"

SSL error log from proxy1

[Wed Oct 14 22:44:04.765460 2020] [ssl:info] [pid 4039:tid 140053310199552] [client x.x.x.x:52829] AH01964: Connection to child 192 established (server domain.com:443)
[Wed Oct 14 22:44:04.767596 2020] [ssl:info] [pid 4039:tid 140053268236032] [client x.x.x.x:52828] AH01964: Connection to child 197 established (server domain.com:443)
[Wed Oct 14 22:44:04.891242 2020] [ssl:info] [pid 4039:tid 140053268236032] [remote 10.0.0.3:443] AH01964: Connection to child 0 established (server domain.com:443)

SSL access log from web1 (prestashop)

[14/Oct/2020:22:49:11 +0200] "GET / HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36"
[14/Oct/2020:22:49:11 +0200] "GET / HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36"
[14/Oct/2020:22:49:11 +0200] "GET / HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36"
[14/Oct/2020:22:49:12 +0200] "GET / HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36"

SSL error log from web1 (prestashop)

[Wed Oct 14 22:47:39.141570 2020] [ssl:info] [pid 4872:tid 139643739694848] [client 10.0.0.2:43868] AH01964: Connection to child 199 established (server myfetish.pl:443)

Answer 1

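I couldn't find any answer to the problem above, so I turned to a different solution. I set up an nginx reverse proxy with SSL termination. This way both http and https traffic point to port 80 on the backend. No more redirect loops.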
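
The setup this answer describes, sketched as an nginx configuration. This is an added example, not the answerer's actual config: `mydns.com` and `web1` are taken from the question, the certificate paths are placeholders, and the forwarded headers (including `X-Forwarded-Proto`) are an assumption about what the backend needs to see.

```nginx
# Added example: TLS terminates on the proxy; both listeners forward to
# web1 over plain HTTP on port 80, so the backend only ever serves one scheme.
# Names mydns.com / web1 come from the question; cert paths are placeholders.

server {
    listen 80;
    server_name mydns.com;

    location / {
        proxy_pass http://web1:80;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        # Assumption: the backend uses this to learn the client-facing scheme.
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

server {
    listen 443 ssl;
    server_name mydns.com;

    ssl_certificate     /path/to/PLACEHOLDER.crt;   # placeholder path
    ssl_certificate_key /path/to/PLACEHOLDER.key;   # placeholder path
    # Same floor as "SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1" in the question.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Response headers carried over from the question's Apache :443 vhost.
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains;" always;
    add_header X-Frame-Options DENY always;
    add_header X-Content-Type-Options nosniff always;

    location / {
        # HTTPS from the client, plain HTTP to the backend.
        proxy_pass http://web1:80;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;   # "https" on this listener
    }
}
```

With this layout the hop from the proxy to web1 is unencrypted, so it depends on the backend staying on the private network described in the question and on port 80 of web1 being reachable only from the proxy.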